[package score] Add replacement for info command

pvdz · pvdz · commit 914b14b03e0d · 2025-03-18T12:05:24.000+01:00
diff --git a/src/cli.ts b/src/cli.ts
@@ -25,6 +25,7 @@ import { cmdNpx } from './commands/npx/cmd-npx'
 import { cmdOops } from './commands/oops/cmd-oops'
 import { cmdOptimize } from './commands/optimize/cmd-optimize'
 import { cmdOrganization } from './commands/organization/cmd-organization'
+import { cmdPackage } from './commands/package/cmd-package'
 import { cmdRawNpm } from './commands/raw-npm/cmd-raw-npm'
 import { cmdRawNpx } from './commands/raw-npx/cmd-raw-npx'
 import { cmdReport } from './commands/report/cmd-report'
@@ -61,6 +62,7 @@ void (async () => {
         oops: cmdOops,
         optimize: cmdOptimize,
         organization: cmdOrganization,
+        package: cmdPackage,
         'raw-npm': cmdRawNpm,
         'raw-npx': cmdRawNpx,
         report: cmdReport,
diff --git a/src/commands/package/cmd-package-score.test.ts b/src/commands/package/cmd-package-score.test.ts
@@ -0,0 +1,103 @@
+import path from 'node:path'
+
+import { describe, expect } from 'vitest'
+
+import constants from '../../../dist/constants.js'
+import { cmdit, invokeNpm } from '../../../test/utils'
+
+const { CLI } = constants
+
+describe('socket package score', async () => {
+  // Lazily access constants.rootBinPath.
+  const entryPath = path.join(constants.rootBinPath, `${CLI}.js`)
+
+  cmdit(['package', 'score', '--help'], 'should support --help', async cmd => {
+    const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+    expect(stdout).toMatchInlineSnapshot(
+      `
+      "Look up info regarding a package
+
+        Usage
+          $ socket package score <<ecosystem> <name> [<name> ...] | <purl> [<purl> ...]>
+
+        Options
+          --dryRun          Do input validation for a command and exit 0 when input is ok
+          --help            Print this help.
+          --json            Output result as json
+          --markdown        Output result as markdown
+
+        Show scoring details for one or more packages.
+        Only a few ecosystems are supported like npm, golang, and maven.
+
+        If the first arg is an ecosystem, remaining args that are not a "purl" are
+        assumed to be scoped in that ecosystem. If the first arg is in "purl" form
+        then all args must be in purl form ("package url": \`pkg:eco/name@version\`).
+
+        This command takes 100 quota units.
+        This command requires \`packages:list\` scope access on your API token.
+
+        Examples
+          $ socket package score npm webtorrent
+          $ socket package score npm webtorrent@1.9.1
+          $ socket package score npm/webtorrent@1.9.1
+          $ socket package score maven webtorrent babel
+          $ socket package score npm/webtorrent golang/babel
+          $ socket package score npm npm/webtorrent@1.0.1 babel"
+    `
+    )
+    expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+      "
+         _____         _       _        /---------------
+        |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
+        |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
+        |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>"
+    `)
+
+    expect(code, 'help should exit with code 2').toBe(2)
+    expect(stderr, 'header should include command (without params)').toContain(
+      '`socket package score`'
+    )
+  })
+
+  cmdit(
+    ['package', 'score', '--dry-run'],
+    'should require args with just dry-run',
+    async cmd => {
+      const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`""`)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
+          |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>
+
+        \\x1b[31m\\xd7\\x1b[39m \\x1b[41m\\x1b[37mInput error\\x1b[39m\\x1b[49m: Please provide the required fields:
+
+              - Expecting an ecosystem \\x1b[31m(missing!)\\x1b[39m
+
+              - Expecting at least one package \\x1b[31m(missing!)\\x1b[39m"
+      `)
+
+      expect(code, 'dry-run should exit with code 2 if missing input').toBe(2)
+    }
+  )
+
+  cmdit(
+    ['package', 'score', 'npm', 'babel', '--dry-run'],
+    'should require args with just dry-run',
+    async cmd => {
+      const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
+          |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>"
+      `)
+
+      expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)
+    }
+  )
+})
diff --git a/src/commands/package/cmd-package-score.ts b/src/commands/package/cmd-package-score.ts
@@ -0,0 +1,99 @@
+import colors from 'yoctocolors-cjs'
+
+import { logger } from '@socketsecurity/registry/lib/logger'
+
+import { showPurlInfo } from './show-purl-info'
+import constants from '../../constants'
+import { commonFlags, outputFlags } from '../../flags'
+import { meowOrExit } from '../../utils/meow-with-subcommands'
+import { getFlagListOutput } from '../../utils/output-formatting'
+
+import type { CliCommandConfig } from '../../utils/meow-with-subcommands'
+
+const { DRY_RUN_BAIL_TEXT } = constants
+
+const config: CliCommandConfig = {
+  commandName: 'score',
+  description: 'Look up info regarding a package',
+  hidden: false,
+  flags: {
+    ...commonFlags,
+    ...outputFlags
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} <<ecosystem> <name> [<name> ...] | <purl> [<purl> ...]>
+
+    Options
+      ${getFlagListOutput(config.flags, 6)}
+
+    Show scoring details for one or more packages.
+    Only a few ecosystems are supported like npm, golang, and maven.
+
+    If the first arg is an ecosystem, remaining args that are not a "purl" are
+    assumed to be scoped in that ecosystem. If the first arg is in "purl" form
+    then all args must be in purl form ("package url": \`pkg:eco/name@version\`).
+
+    This command takes 100 quota units.
+    This command requires \`packages:list\` scope access on your API token.
+
+    Examples
+      $ ${command} npm webtorrent
+      $ ${command} npm webtorrent@1.9.1
+      $ ${command} npm/webtorrent@1.9.1
+      $ ${command} maven webtorrent babel
+      $ ${command} npm/webtorrent golang/babel
+      $ ${command} npm npm/webtorrent@1.0.1 babel
+  `
+}
+
+export const cmdPackageScore = {
+  description: config.description,
+  hidden: config.hidden,
+  run
+}
+
+async function run(
+  argv: string[] | readonly string[],
+  importMeta: ImportMeta,
+  { parentName }: { parentName: string }
+): Promise<void> {
+  const cli = meowOrExit({
+    argv,
+    config,
+    importMeta,
+    parentName
+  })
+
+  const { json, markdown } = cli.flags
+  const [ecosystem, ...pkgs] = cli.input
+
+  if (!ecosystem || !pkgs.length || !pkgs[0]) {
+    // Use exit status of 2 to indicate incorrect usage, generally invalid
+    // options or missing arguments.
+    // https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
+    process.exitCode = 2
+    logger.fail(`${colors.bgRed(colors.white('Input error'))}: Please provide the required fields:\n
+      - Expecting an ecosystem ${!ecosystem ? colors.red('(missing!)') : colors.green('(ok)')}\n
+      - Expecting at least one package ${!pkgs.length || !pkgs[0] ? colors.red('(missing!)') : colors.green('(ok)')}\n
+    `)
+    return
+  }
+
+  const purls = pkgs.map(pkg => {
+    return 'pkg:' + ecosystem + '/' + pkg
+  })
+
+  if (cli.flags['dryRun']) {
+    logger.log(DRY_RUN_BAIL_TEXT)
+    return
+  }
+
+  await showPurlInfo({
+    // commandName: `${parentName} ${config.commandName}`,
+    // includeAllIssues: Boolean(all),
+    outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
+    purls
+    // strict: Boolean(strict)
+  })
+}
diff --git a/src/commands/package/cmd-package.test.ts b/src/commands/package/cmd-package.test.ts
@@ -0,0 +1,70 @@
+import path from 'node:path'
+
+import { describe, expect } from 'vitest'
+
+import constants from '../../../dist/constants.js'
+import { cmdit, invokeNpm } from '../../../test/utils'
+
+const { CLI } = constants
+
+describe('socket manifest', async () => {
+  // Lazily access constants.rootBinPath.
+  const entryPath = path.join(constants.rootBinPath, `${CLI}.js`)
+
+  cmdit(['manifest', '--help'], 'should support --help', async cmd => {
+    const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+    expect(stdout).toMatchInlineSnapshot(
+      `
+      "Generate a dependency manifest for given file or dir
+
+        Usage
+          $ socket manifest <command>
+
+        Commands
+          auto              Auto-detect build and attempt to generate manifest file
+          gradle            [beta] Use Gradle to generate a manifest file (\`pom.xml\`) for a Gradle/Java/Kotlin/etc project
+          kotlin            [beta] Use Gradle to generate a manifest file (\`pom.xml\`) for a Kotlin project
+          scala             [beta] Generate a manifest file (\`pom.xml\`) from Scala's \`build.sbt\` file
+
+        Options
+          --dryRun          Do input validation for a command and exit 0 when input is ok
+          --help            Print this help.
+
+        Examples
+          $ socket manifest --help"
+    `
+    )
+    expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+      "
+         _____         _       _        /---------------
+        |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
+        |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
+        |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest\`, cwd: <redacted>"
+    `)
+
+    expect(code, 'help should exit with code 2').toBe(2)
+    expect(stderr, 'header should include command (without params)').toContain(
+      '`socket manifest`'
+    )
+  })
+
+  cmdit(
+    ['manifest', 'mootools', '--dry-run'],
+    'should require args with just dry-run',
+    async cmd => {
+      const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(
+        `"[DryRun]: No-op, call a sub-command; ok"`
+      )
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
+          |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest\`, cwd: <redacted>"
+      `)
+
+      expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)
+    }
+  )
+})
diff --git a/src/commands/package/cmd-package.ts b/src/commands/package/cmd-package.ts
@@ -0,0 +1,31 @@
+import { cmdPackageScore } from './cmd-package-score'
+import { meowWithSubcommands } from '../../utils/meow-with-subcommands'
+
+import type { CliSubcommand } from '../../utils/meow-with-subcommands'
+
+const description = 'Commands relating to looking up published packages'
+
+export const cmdPackage: CliSubcommand = {
+  description,
+  hidden: true, // [beta]
+  async run(argv, importMeta, { parentName }) {
+    await meowWithSubcommands(
+      {
+        score: cmdPackageScore
+      },
+      {
+        aliases: {
+          pkg: {
+            description,
+            hidden: true,
+            argv: []
+          }
+        },
+        argv,
+        description,
+        importMeta,
+        name: parentName + ' package'
+      }
+    )
+  }
+}
diff --git a/src/commands/package/fetch-package-info.ts b/src/commands/package/fetch-package-info.ts
@@ -0,0 +1,43 @@
+import { logger } from '@socketsecurity/registry/lib/logger'
+import { SocketSdkResultType, SocketSdkReturnType } from '@socketsecurity/sdk'
+
+import constants from '../../constants'
+import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api'
+import { getPublicToken, setupSdk } from '../../utils/sdk'
+
+export async function fetchPackageInfo(
+  purls: string[]
+): Promise<SocketSdkReturnType<'batchPackageFetch'>> {
+  const socketSdk = await setupSdk(getPublicToken())
+
+  // Lazily access constants.spinner.
+  const { spinner } = constants
+
+  logger.error(
+    `Requesting data for ${purls.length} package urls (purl): ${purls.join(', ')}`
+  )
+  spinner.start(`Requesting data ...`)
+
+  const result: Awaited<SocketSdkResultType<'batchPackageFetch'>> =
+    await handleApiCall(
+      socketSdk.batchPackageFetch(
+        {
+          alerts: 'true'
+          // compact: false,
+          // fixable: false,
+          // licenseattrib: false,
+          // licensedetails: false
+        },
+        { components: purls.map(purl => ({ purl })) }
+      ),
+      'looking up package'
+    )
+
+  spinner.successAndStop('Request completed')
+
+  if (result.success) {
+    return result
+  } else {
+    handleUnsuccessfulApiResponse('batchPackageFetch', result)
+  }
+}
diff --git a/src/commands/package/log-package-info.ts b/src/commands/package/log-package-info.ts
diff --git a/src/commands/package/show-purl-info.ts b/src/commands/package/show-purl-info.ts
diff --git a/src/utils/api.ts b/src/utils/api.ts
